AST-09: Secure Disposal, Destruction or Re-Use of Equipment

AST 10 — Critical Identify

Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.

Control Question: Does the organization securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components?

General (35)

Framework: Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source): C1.2-POF2, CC6.5, CC6.5-POF2, P4.3-POF2, P4.3-POF3
CIS CSC 8.1: 3.5
CIS CSC 8.1 IG1: 3.5
CIS CSC 8.1 IG2: 3.5
CIS CSC 8.1 IG3: 3.5
CSA CCM 4: DSP-02
CSA IoT SCF 2: POL-04
ISO 27002 2022: 7.14, 8.10
ISO 27017 2015: 11.2.7
NIST AI 100-1 (AI RMF) 1.0: GOVERN 1.7
NIST 800-37 R2: M-7
NIST 800-53 R4: SA-19(3)
NIST 800-53 R5 (source): SR-12
NIST 800-53B R5 (low) (source): SR-12
NIST 800-53B R5 (moderate) (source): SR-12
NIST 800-53B R5 (high) (source): SR-12
NIST 800-82 R3 LOW OT Overlay: SR-12
NIST 800-82 R3 MODERATE OT Overlay: SR-12
NIST 800-82 R3 HIGH OT Overlay: SR-12
NIST 800-160: 3.4.14
NIST 800-161 R1: SR-12
NIST 800-161 R1 C-SCRM Baseline: SR-12
NIST 800-161 R1 Level 2: SR-12
NIST 800-161 R1 Level 3: SR-12
NIST 800-171 R2 (source): 3.8.3
NIST 800-171 R3 (source): 03.07.04.c, 03.08.03
PCI DSS 4.0.1 (source): 9.4.7
PCI DSS 4.0.1 SAQ D Merchant (source): 9.4.7
PCI DSS 4.0.1 SAQ D Service Provider (source): 9.4.7
TISAX ISA 6: 3.1.3
SCF CORE Fundamentals: AST-09
SCF CORE Mergers, Acquisitions & Divestitures (MA&D): AST-09
SCF CORE ESP Level 1 Foundational: AST-09
SCF CORE ESP Level 2 Critical Infrastructure: AST-09
SCF CORE ESP Level 3 Advanced Threats: AST-09
APAC (7)

Framework: Mapping Values
APAC Australia ISM June 2024: ISM-0311, ISM-0312, ISM-0315, ISM-0318, ISM-0321, ISM-0330, ISM-0350, ISM-0363, ISM-0370, ISM-0372, ISM-0378, ISM-0839, ISM-1076, ISM-1217, ISM-1218, ISM-1219, ISM-1220, ISM-1221, ISM-1222, ISM-1223, ISM-1225, ISM-1534, ISM-1550, ISM-1641, ISM-1722, ISM-1723, ISM-1724, ISM-1725, ISM-1726, ISM-1727, ISM-1728, ISM-1729, ISM-1741, ISM-1742
APAC India SEBI CSCRF: PR.AA.S14
APAC Japan ISMAP: 11.2.7, 11.2.7.4.PB
APAC New Zealand HISF 2022: HHSP06, HHSP45, HML06, HML45, HSUP06
APAC New Zealand HISF Suppliers 2023: HSUP06
APAC New Zealand NZISM 3.6: 11.2.13.C.01, 11.2.13.C.02, 11.7.35.C.01, 12.6.4.C.01, 12.6.4.C.02, 12.6.5.C.01, 12.6.5.C.02, 12.6.5.C.03, 12.6.5.C.04, 12.6.5.C.05, 12.6.8.C.01, 12.6.9.C.01, 12.6.10.C.01, 13.4.19.C.02, 13.4.10.C.01, 13.5.24.C.01, 13.5.24.C.02, 13.5.24.C.03, 13.5.24.C.04, 13.5.25.C.01, 13.5.26.C.01, 13.5.26.C.02, 13.5.26.C.03, 13.5.29.C.01, 13.5.29.C.02, 13.5.30.C.01, 13.6.6.C.01, 13.6.6.C.02, 13.6.7.C.01, 13.6.8.C.01, 13.6.9.C.01, 13.6.10.C.01, 13.6.10.C.02, 13.6.10.C.03, 13.6.11.C.01, 13.6.12.C.01
APAC Singapore MAS TRM 2021: 11.1.7

Americas (2)

Framework: Mapping Values
Americas Canada OSFI B-13: 2.2, 2.2.4
Americas Canada ITSP-10-171: 03.07.04.C, 03.08.03

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.

Level 1 — Performed Informally

Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Asset inventories are performed in an ad hoc manner.
  • Software licensing is tracked as part of IT asset inventories.
  • Data process owners maintain limited network diagrams to document the flow of sensitive/regulated data that is specific to their initiative.
  • IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.

Level 2 — Planned & Tracked

Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for asset management.
  • Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • Asset management is formally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Technology assets are categorized according to data classification and business criticality.
  • Inventories cover technology assets in scope for statutory, regulatory and/or contractual compliance, which includes both physical and virtual assets.
  • Software licensing is tracked as part of IT asset inventories.
  • Users are educated on their responsibilities to protect technology assets assigned to them or under their supervision.
  • IT/cybersecurity personnel maintain network diagrams to document the flow of sensitive/regulated data across the network.
  • IT personnel collect technology assets and media for destruction when they are no longer needed for business or legal reasons.
  • IT personnel perform the destruction of technology assets and media in a secure manner, or outsource the destruction to a third party that specializes in technology asset and media destruction and that provides evidence of destruction (e.g., a certificate of destruction).
  • Devices are escrowed in storage for a period of time before being wiped and reissued, in case data on the devices are needed for investigations or business purposes.

Level 3 — Well Defined

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
  • An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
  • Technology assets and data are categorized according to data classification and business criticality criteria.
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks, including the removal and prevention of certain technology services and/or equipment designated as supply chain threats by a statutory or regulatory body.
  • Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
  • IT personnel perform the destruction of technology assets and media in a secure manner, or outsource the destruction to a third party that specializes in technology asset and media destruction and that provides evidence of destruction (e.g., a certificate of destruction).
  • Organizational standards exist for users to dispose of, destroy or repurpose system components when they are no longer needed for business or legal reasons.
  • Third-party providers ensure world-wide coverage to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent such components from entering the gray market.
  • Devices are escrowed in storage for a period of time before being wiped and reissued, in case data on the devices are needed for investigations or business purposes.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.

Assessment Objectives

  1. AST-09_A01: data, documentation, tools or system components to be disposed of are defined.
  2. AST-09_A02: techniques and methods for disposing of data, documentation, tools or system components are defined.
  3. AST-09_A03: data, documentation, tools or system components are disposed of using the defined techniques and methods.
  4. AST-09_A04: system media is sanitized using sanitization techniques and procedures prior to disposal.
  5. AST-09_A05: system media is sanitized using sanitization techniques and procedures prior to release from organizational control.
  6. AST-09_A06: system media is sanitized using sanitization techniques and procedures prior to release for reuse.
  7. AST-09_A07: sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.

Evidence Requirements

E-AST-03 Asset Disposal Evidence

Documented evidence of asset disposal/destruction (e.g., asset tracking by serial number for shredding, degaussing, etc.).

Asset Management

Technology Recommendations

Micro/Small, Small, Medium, Large and Enterprise (the same recommendations apply at every organization size)

  • Shred-it (https://shredit.com)
  • IronMountain (https://ironmountain.com)
  • BitRaser (https://bitraser.com)
  • DBAN (https://dban.org)
  • DoD-strength data erasers

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.